Closed Bug 657201 (CVE-2011-2368) Opened 9 years ago Closed 9 years ago

WebGL crash [@createProgram/@gldCopyTexSubImage]

Categories

(Core :: Canvas: WebGL, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla6
Tracking Status
firefox5 + fixed
status2.0 --- wanted
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: posidron, Assigned: bjacob)

References

(Blocks 1 open bug)

Details

(Whiteboard: [sg:critical?])

Attachments

(5 files)

Attached file testcase
Sometimes it crashes in createProgram, sometimes in gldCopyTexSubImage.

The bug is currently only reproducible against:

ProductName:	Mac OS X
ProductVersion:	10.6.7
BuildVersion:	10J869
OpenGL renderer string: ATI Radeon HD 6750M OpenGL Engine
OpenGL version string: 2.1 ATI-1.6.32

I have marked this as a security issue because I get some write violations at different places.
Attached file callstack1-read-0
Attached file callstack2-write-0
Summary: WebGL crash [@gldCopyTexSubImage] → WebGL crash [@createProgram/@gldCopyTexSubImage]
Oh oh, really interesting! All 3 crashes have in common that they happen inside of glValidateProgram(). In bug 593867, we already decided to avoid calling glValidateProgram on Macs with NVIDIA cards. Now you're getting problems with an ATI card --> let's completely avoid glValidateProgram(), which means that it wasn't NVIDIA specific.
Chris, I had filed Apple bug 9129482, but it got closed as "missing information". It seems that this bug could use some pushing by an Apple insider ;-)
Attachment #532643 - Flags: review?(christoph.diehl)
Note: it's also very interesting to have this on Mac OS 10.6.7. My Apple bug got closed as I was unable to confirm whether it still happened on 10.6.7.
Fixed - thanks Benoit.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
We should keep this bug open until it's actually fixed in the tree! Please review my patch or tell me if you would like me to find someone else.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Oh. Sorry for closing it too early.

I already reviewed your patch, applied it to my build and checked it against the provided testcase. ;)
Welcome to Mozilla bureaucracy: if you approve my patch, please click 'Details', then on the 'review' line, select '+'.

Then we will land it, paste here a link to the changeset, and finally close this bug.
Attachment #532643 - Flags: review?(christoph.diehl) → review+
Attachment #532643 - Flags: approval-mozilla-aurora?
status2.0: --- → wanted
Whiteboard: [sg:critical?]
Attachment #532643 - Flags: approval-mozilla-beta?
Blocks: 658170
Attachment #532643 - Flags: approval-mozilla-beta?
Attachment #532643 - Flags: approval-mozilla-beta+
Attachment #532643 - Flags: approval-mozilla-aurora?
Comment on attachment 532643 [details] [diff] [review]
really disable validateProgram() on Mac

Please land this change on both Aurora and Beta. (In the future, getting changes in during Aurora will save you this extra step.)
Attachment #532643 - Flags: approval-mozilla-aurora+
mozilla-central:
http://hg.mozilla.org/mozilla-central/rev/9ca849387799

I didn't realize that this was now sg-critical, sorry. Will land on aurora and beta ASAP.
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Assignee: nobody → bjacob
Pushed to Beta:
http://hg.mozilla.org/releases/mozilla-beta/rev/eba2dce26189

The fix was already on Aurora, as the Central->Aurora merge happened since I landed on Central.
Attachment #532643 - Flags: approval-mozilla-aurora+
Alias: CVE-2011-2368
Group: core-security
Target Milestone: --- → mozilla6
The workaround that was added in this issue is about 5 years old now. Marked down bug 1284425 to discuss if the workaround is relevant any more on recent OS X versions.